Incident response: Putting all the R’s in IR

It is well established that the ‘R’ in IR stands for “Response.” But given the challenges facing incident response teams today, IR could just as well stand for “It’s Rough.” The landscape is challenging, tools are multiplying, and the talent shortage seems insurmountable.

To start, according to Cisco’s recent CISO Benchmark Study, 79 percent of security leaders are finding it challenging to orchestrate threat response in a multi-vendor environment. The share of legitimate security alerts that organizations remediate has also dropped since Cisco’s 2018 survey – down from roughly 50 percent last year to just under 43 percent this year. All this means that incident response is not getting any easier: only 35 percent of security professionals find it easy to determine the scope of a compromise, contain it, and remediate it.

Attackers continue to innovate and come up with new attack types at a record pace. They’re so brazen that they even use Facebook and other social networks to share tools and sell stolen, personal information. Meanwhile, security teams struggle to keep up with this innovation, acquiring new technology to deal with every emerging threat.

IT infrastructure is too complicated, and resources are too scarce, to manage all of these tools and derive the intended benefits from them. This is especially true because security products often don’t talk to one another, which forces teams to manually analyze and compare a seemingly infinite stream of alerts and logs to make sense of what’s going on.

But there is some good news in all of this. According to a Cybersecurity Almanac published by Cisco and Cybersecurity Ventures, Fortune 500 and Global 2000 CISOs are expected to reduce the number of point security products they are using by 15-18 percent this year. Additionally, our CISO Benchmark Study tells us that more security teams are using time to remediate as a success metric for their operations (48 percent compared to just 30 percent last year). Remediation is difficult, demonstrating that security teams are setting the bar very high for themselves.

This hopefully shows that organizations are allowing CISOs to think more strategically about security – and that the C-suite in general is perhaps realizing that it’s about more than just buying a bunch of products and hoping they work.

Three more R’s: readiness, recon, and remediation

In actuality, there’s more to the ‘R’ in IR than just ‘response.’ To effectively respond to attacks, organizations not only have to react when they occur, but also:

Be prepared for them in the first place. (Readiness.)

Have an efficient way of obtaining visibility into any threats that make their way in. (Recon.)

Mitigate attacks as quickly as possible. (Remediation.)

How do you master all these R’s? First of all, if your environment is made up of dozens of security technologies each performing siloed tasks and not sharing intelligence, you can’t really succeed. You will never have enough time, resources, and patience to piece all of this disparate information together and identify attacks before they rip through your environment.

At Cisco, we are constantly trying to figure out how to make security better to more effectively protect today’s businesses. Above all else – beyond all the latest features and capabilities – we focus on integrated security above everything. We don’t want our products to protect against just one type of attack, or secure just one area of the network. We want to cover you from edge to endpoint – and we want our products to work together to lessen the burden on you and your team.

Here are some of the newer ways we are helping to fortify organizations’ incident response plans, and putting all the R’s in IR.

Cisco Stealthwatch – A whole lot of readiness

Talk about being prepared. Cisco Stealthwatch has recently become the first and only security analytics platform to provide comprehensive visibility and threat detection across today’s modern infrastructure – including private, hybrid, and public multi-cloud environments. It automatically aggregates and analyzes security information across the entire enterprise to deliver a clear, understandable look at what’s going on 24/7. Stealthwatch prioritizes the most critical issues for the security team, and enables team members to easily drill down into any alerts that require further investigation.

Essentially, Stealthwatch serves as the eyes and ears of the network, using a combination of behavioral modeling and machine learning to pinpoint anomalies that could signify risk. It even detects threats in encrypted traffic without the burden of IT teams having to do decryption. In addition to monitoring on-premises infrastructure and private clouds, Stealthwatch can monitor all public cloud environments including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Cisco Threat Response – Advanced recon and remediation

In the one year since we introduced our threat response platform, included for free with several of our security products, Cisco Threat Response (CTR) has become a foundation for fast, efficient incident investigation and response across the entire Cisco security architecture. It brings together threat intelligence from Cisco and third-party technologies, as well as Cisco Talos, via a single, intuitive console.

CTR reduces the need for security teams to shift between different interfaces and manually piece together data. If a threat is uncovered, it can be quickly remediated directly through CTR. The result is dramatically accelerated threat detection, investigation, and response.

This year, we unveiled a new browser plug-in for CTR to further simplify investigations. With the plug-in, if you are on a website (such as the Talos blog) that includes information and observables on specific attacks, you can easily pull those observables into CTR to determine if the attack is present in your environment. It works with any web page that includes data on Indicators of Compromise (IOCs), allowing security analysts to quickly kick off the threat investigation process.
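To make the observable-harvesting step concrete, here is an added example (not Cisco’s plug-in code, and not part of the original post) of the kind of extraction such a tool performs on a page: it refangs common defanging notations (`hxxp://`, `[.]`), pulls out URLs, SHA256 and MD5 hashes, IPv4 addresses and domains, normalizes hash case, and de-duplicates the result so it can be handed to an investigation tool. The page text is a constructed sample, and the regular expressions are deliberately simple; a production extractor would also validate top-level domains and handle further defang styles.

```python
"""Extract indicators of compromise (observables) from free-form page text.

Added example: mimics the harvesting step a browser plug-in performs before
handing observables to an investigation console. Not Cisco's code.
"""
import re
from typing import Dict, List

# Constructed sample page text; hostnames use the reserved .test TLD and a
# documentation IP range, and the hashes are well-known test vectors.
SAMPLE_PAGE = """
The dropper was served from hxxp://malicious-example[.]test/update.bin
and beaconed to 203[.]0[.]113[.]45 over TCP/443. The payload's SHA256 is
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 and the
stage-two loader's MD5 is d41d8cd98f00b204e9800998ecf8427e. A second host,
cdn.malicious-example[.]test, served the same file (SHA256 again:
9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08).
"""

# Observable types, in the order they are extracted. Each type's matches are
# blanked out before the next runs, so a URL's host is not also reported as a
# bare domain and a 64-hex SHA256 is never re-read as two MD5 halves.
ORDER = ["url", "sha256", "md5", "ipv4", "domain"]

PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>\"']+"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def refang(text: str) -> str:
    """Undo common defanging ([.], (.), {.}, hxxp) so the regexes see real indicators."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text


def extract_observables(page_text: str) -> Dict[str, List[str]]:
    """Return de-duplicated observables grouped by type, in order of first appearance."""
    text = refang(page_text)
    found: Dict[str, List[str]] = {kind: [] for kind in ORDER}
    for kind in ORDER:
        for match in PATTERNS[kind].finditer(text):
            value = match.group(0)
            if kind in ("sha256", "md5"):
                value = value.lower()          # normalize case so duplicates collapse
            elif kind == "url":
                value = value.rstrip(".,;:)")  # drop trailing sentence punctuation
            if value not in found[kind]:
                found[kind].append(value)
        # Remove consumed matches so later, looser patterns do not re-match them.
        text = PATTERNS[kind].sub(" ", text)
    return found


def count_observables(observables: Dict[str, List[str]]) -> int:
    """Total number of distinct observables across all types."""
    return sum(len(values) for values in observables.values())


if __name__ == "__main__":
    result = extract_observables(SAMPLE_PAGE)
    for kind in ORDER:
        for value in result[kind]:
            print(f"{kind:7s} {value}")
    print(f"{count_observables(result)} distinct observables")
```

Running the block prints one line per observable; the repeated uppercase SHA256 collapses into the single lowercase entry, and the host inside the URL is reported once as a URL rather than again as a domain.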

AMP for Endpoints – Speaking of recon and remediation…

Some of you may already be familiar with our Advanced Malware Protection (AMP) technology. But did you know that it can be used to proactively hunt for the riskiest one percent of threats in your environment to improve both security posture and operations? AMP for Endpoints provides a holistic view of all end devices on your network, including IoT devices. It continuously monitors and records all files to quickly detect stealthy malware.

AMP provides valuable insight into how malware got in, where it’s been, what it’s doing, and how to stop it. This greatly simplifies investigations and shortens incident triage and mitigation time. Once a threat is uncovered, you can quickly block it within AMP using just a few clicks.

Through integrations with other prominent Cisco security technologies, this investigation and remediation can also be extended to other parts of the network beyond just endpoints. AMP can see a threat in one area of your environment and then automatically block it everywhere else it appears.